Secure and Reliable Billing Software

A winning combination of enterprise-grade security to protect your customers and proven reliability to keep your recurring billing running smoothly.

PCI DSS Level 1 Compliant

Chargify is annually audited to maintain the highest level of PCI compliance for a service handling sensitive payment data. With billing information flowing through Chargify, you can comply with industry-standard security practices without the time and resources required to maintain such standings. Our number one goal is to protect you and your customers.

Download Chargify’s compliance validation

SOC 1 Type I Report

Service Organization Controls (SOC) exist to validate a company’s controls and ensure industry standards are followed. Our SOC 1 report was prepared in accordance with the Statement on Standards for Attestation Engagements No. 16 (a.k.a. SSAE 16) and documents operational policies and procedures for Chargify’s system of internal controls.

Two-Factor Authentication

As a security best practice, we require secure passwords for all Chargify users. As an additional layer of protection, we provide the ability to enable two-factor authentication. When enabled, internal team members must enter an authentication token from their mobile device prior to gaining access to the Chargify interface.

Fine-Grained User Access Controls

Your teams play important roles in running your subscription business, but not every team member needs full access to Chargify’s interface. Customer support needs to access and manage subscription information, finance needs to view and export financial metrics, etc. Our access controls allow you to define what users can see and do within your Chargify account.

Reliability You Can Count On

Data Redundancy

Our software runs in three datacenters across the US. On a daily basis, we export the database and store it in an offsite facility for extra redundancy.

24/7 Monitoring

Extensive performance and availability monitoring allows us to keep a close eye on system health and mitigate unforeseen issues early on.

99.99% Uptime

Uptime is as mission critical to us as it is to your business. Our trailing three-year uptime record is 99.99%, and we’re fanatical about maintaining that record. View our uptime report.

Hacker Tested

We regularly submit ourselves to hacking by the best "good-guy" hackers in the business. This practice ensures we remain the most reliable, secure system in the industry.

PGP Key

We provide a PGP key to encrypt sensitive communication that you send to us. Before encrypting anything with it, check that the fingerprint of the key you imported matches the fingerprint listed below.

Key ID: EEF6884E
Key type: RSA
Key size: 4096
User ID: Chargify Security (security@chargify.com)
Fingerprint: 7230 A3CC 38B3 ECD2 23AB FCB4 F9F4 9BA1 EEF6 884E
Expires: 2019-11-28

Help Us Keep Chargify Secure

We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

If you believe you have discovered a potential flaw in any area of Chargify's security measures, we ask that you please share the information with us first and retain secrecy of your findings until we have remediated the issue.

If you have identified a vulnerability, report it via email to security@chargify.com

We ask that you follow these rules for any responsible use of our system:

  • You may create a test account with the following limits: TWO accounts each with no more than TWO sites and TWO users.
  • Not in scope: Any ancillary sites not directly hosted by Chargify (such as reference.chargify.com, status.chargify.com, help.chargify.com, Zendesk, Tumblr, etc.)
  • All data object creation is limited to a maximum of 50 objects per type
  • No automated off-the-shelf scanners (like Acunetix or the Burp Suite Scanner). We’ve had these run hundreds of times already
  • Scripted / API tests must be rate limited to 1 request per second
  • Absolutely NO attacks or exploits against accounts not created by you. You may only attempt cross-account access between two accounts controlled by YOU
  • No DOS/DDOS tests
  • Absolutely no physical testing such as office access (e.g. open doors, tailgating).
  • Absolutely no social engineering (e.g. phishing, vishing).

We ask that you please do not submit low value issues when there are only loose connections to known best practices, unless you can demonstrate a chained attack with higher impact. Google maintains an exhaustive list with explanations. This also includes things like:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Username enumeration via Login Page error message
  • Username enumeration via Forgot Password error message
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS / TRACE HTTP method enabled
  • SSL Attacks such as BEAST, BREACH, Renegotiation attack
  • SSL Forward secrecy not enabled
  • SSL Insecure cipher suites
  • Missing Anti-MIME-Sniffing header (X-Content-Type-Options)
  • Missing HTTP security headers

© 2019 Chargify® LLC. All rights reserved.